
Introduction to Information Security
Chapter 1

Do not figure on opponents not attacking; worry about your own lack of preparation.
-- Book of the Five Rings

1
Course Information

Course Title: Information Security
Instructor: Dr. Sarah Bukhari
Hours: 3 hours
Email: bukhari_sarah@yahoo.com

Rules
• Latecomers will not be admitted to the class.
• No compromise in study.
• Misbehaving in class will lead to a failing grade.
• Late assignments will not be accepted.
• No excuses will be heard.
• Daily oral test.
• Always be ready for a surprise written test.


Learning Objectives:
Upon completion of this chapter you should be able to:
– Understand what information security is and how it came to mean what it does today.
– Comprehend the history of computer security and how it evolved into information security.
– Understand the key terms and critical concepts of information security as presented in the chapter.
– Outline the phases of the security systems development life cycle.
– Understand the roles of the professionals involved in information security within an organizational structure.

Slide 4
What Is Information Security?
Information security in today’s enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.” – Jim Anderson, Inovant (2002)

Slide 5
The History Of Information Security
• Computer security began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first modern computers
• Physical controls were needed to limit access to sensitive military locations to authorized personnel
• Only rudimentary controls were available to defend against physical theft, espionage, and sabotage

Slide 6
Figure 1-1 – The Enigma

Slide 7
The 1960s
• The Department of Defense’s Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system
• Larry Roberts developed the project from its inception

Slide 8
Figure 1-2 - ARPANET

Slide 9
The 1990s
• As networks of computers became more common, so too did the need to interconnect the networks
• This resulted in the Internet, the first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority

Slide 10
The Present
• The Internet has brought millions of computer networks into communication with each other – many of them unsecured
• The ability to secure each network is now influenced by the security of every computer to which it is connected

Slide 11
What Is Security?
• “The quality or state of being secure – to be free from danger”
• To be protected from adversaries
• A successful organization should have multiple layers of security in place:
  – Physical security – to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
  – Personal security – to protect the individual or group of individuals who are authorized to access the organization and its operations.
  – Operations security – to protect the details of a particular operation or series of activities.
  – Communications security – to protect an organization’s communications media, technology, and content.
  – Network security – to protect networking components, connections, and contents.

Slide 12
What Is Information Security?
• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Tools, such as policy, awareness, training, education, and technology are necessary
• The C.I.A. triangle was the standard based on confidentiality, integrity, and availability
• The C.I.A. triangle has expanded into a list of critical characteristics of information

Slide 13
Critical Characteristics Of Information
The value of information comes from the characteristics it possesses.
Availability - enables users who need to access information to do so without interference or obstruction and in
the required format. The information is said to be available to an authorized user when and where needed and in
the correct format.
Accuracy - free from mistake or error and having the value that the end-user expects. If information contains a
value different from the user’s expectations due to the intentional or unintentional modification of its content, it is
no longer accurate.
Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication.
Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Confidentiality - the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity - the quality or state of being whole, complete, and uncorrupted. The integrity of information is
threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic
state.
Utility - the quality or state of having value for some purpose or end. Information has value when it serves a
particular purpose. This means that if information is available, but not in a format meaningful to the end-user, it is
not useful.
Possession - the quality or state of having ownership or control of some object or item. Information is said to
be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality
always results in a breach of possession, a breach of possession does not always result in a breach of
confidentiality.

Slide 14
Figure 1-3 – NSTISSC
Security Model

Slide 15
THE CAST OF CHARACTERS
• Alice and Bob are the good guys
• Trudy is the bad “guy”
• Trudy is our generic “intruder”

16
ALICE’S ONLINE BANK
• Alice opens Alice’s Online Bank (AOB)
• What are Alice’s security concerns?
• If Bob is a customer of AOB, what are his security concerns?
• How are Alice’s and Bob’s concerns similar? How are they different?
• How does Trudy view the situation?

17
CIA
• CIA == Confidentiality, Integrity, and Availability (Authenticity)
• AOB must prevent Trudy from learning Bob’s account balance
• Confidentiality: prevent unauthorized reading of information
  – Cryptography used for confidentiality

18
CIA
• Trudy must not be able to change Bob’s account balance
• Bob must not be able to improperly change his own account balance
• Integrity: detect unauthorized writing of information
  – Cryptography used for integrity

19
CIA
• AOB’s information must be available whenever it’s needed
  – Alice must be able to make transactions
  – If not, she’ll take her business elsewhere
• Availability: data is available in a timely manner when needed
• Availability is a “new” security concern
  – Denial of service (DoS) attacks

20
BEYOND CIA: CRYPTO
• How does Bob’s computer know that “Bob” is really Bob and not Trudy?
  – Bob’s password must be verified
  – This requires some clever cryptography
• What are the security concerns of passwords?
• Are there alternatives to passwords?

21
BEYOND CIA: PROTOCOLS
• When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
  – As before, Bob’s password is verified
  – Unlike the previous case, network security issues arise
• How do we secure network transactions?
  – Protocols are critically important
  – Crypto plays a critical role in protocols

22
BEYOND CIA: ACCESS CONTROL
• Once Bob is authenticated by AOB, then AOB must restrict the actions of Bob
  – Bob can’t view Charlie’s account info
  – Bob can’t install new software, etc.
• Enforcing these restrictions: authorization
• Access control includes both authentication and authorization
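
The two halves of access control named on this slide can be seen side by side in code. The following Python sketch is an added example (not from the slides, and not AOB's real code): authentication verifies Bob's password against a salted PBKDF2 hash, and authorization separately checks that the authenticated principal owns the account being viewed, so a valid login as Bob still cannot reach Charlie's balance. The user records, balances and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the demo


def make_record(password: str) -> dict:
    """Store a salted, iterated hash instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed demo data: two AOB customers and their (invented) passwords and balances.
USERS = {
    "bob": make_record("bob-pass-1234"),
    "charlie": make_record("charlie-pass-5678"),
}
ACCOUNTS = {"bob": 120.00, "charlie": 9000.00}


def authenticate(username: str, password: str) -> bool:
    """Authentication: is the caller really who they claim to be?"""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    # Constant-time comparison so a wrong guess cannot be distinguished byte by byte.
    return hmac.compare_digest(candidate, record["hash"])


def login(username: str, password: str):
    """Return the authenticated principal, or None if login fails."""
    return username if authenticate(username, password) else None


def authorize(principal, account_owner: str) -> bool:
    """Authorization: may this (already authenticated) principal act on this account?"""
    return principal is not None and principal == account_owner


def view_balance(principal, account_owner: str) -> float:
    """Bob can see Bob's balance; Bob cannot see Charlie's, even though he is logged in."""
    if principal is None:
        raise PermissionError("not authenticated")
    if not authorize(principal, account_owner):
        raise PermissionError(f"{principal} is not allowed to view {account_owner}'s account")
    return ACCOUNTS[account_owner]


if __name__ == "__main__":
    bob = login("bob", "bob-pass-1234")
    print("bob's own balance:", view_balance(bob, "bob"))
    try:
        view_balance(bob, "charlie")
    except PermissionError as exc:
        print("blocked:", exc)
```

Note that a successful `login` proves identity only; every later request still passes through `authorize`, which is what makes "Bob can't view Charlie's account info" enforceable.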

23
BEYOND CIA: SOFTWARE
• Cryptography, protocols, and access control are implemented in software
  – Software is the foundation on which security rests
• What are the security issues of software?
  – Real-world software is complex and buggy
  – Software flaws lead to security flaws
  – How does Trudy attack software?
  – How to reduce flaws in software development?
  – And what about malware?

24
THE THREE OBJECTIVES OF NETWORK SECURITY
• Confidentiality
• Integrity
• Availability

THE PEOPLE PROBLEM
• People often break security
  – Both intentionally and unintentionally
  – Here, we consider the unintentional
• For example, suppose you want to buy something online
  – To make it concrete, suppose you want to buy Information Security: Principles and Practice, 2nd edition from amazon.com

26
THE PEOPLE PROBLEM
• To buy from amazon.com…
  – Your Web browser uses the SSL protocol
  – SSL relies on cryptography
  – Access control issues arise
  – All security mechanisms are in software
• Suppose all of this security stuff works perfectly
  – Then you would be safe, right?

27
THE PEOPLE PROBLEM
• What could go wrong?
• Trudy tries a man-in-the-middle attack
  – SSL is secure, so the attack doesn’t “work”
  – But, the Web browser issues a warning
• What do you, the user, do?
  – If the user ignores the warning, the attack works!
• None of the security mechanisms failed
  – But the user unintentionally broke security

28
THE THREE FOUNDATIONS OF NETWORK SECURITY
• People
• Processes
• Technology

COMPUTER SECURITY
• Computer security is defined as the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)

30
CIA TRIAD

31
KEY OBJECTIVES
• Confidentiality
  – Data confidentiality – information not disclosed to unauthorized individuals
  – Privacy – individuals control how their information is collected, stored, shared
• Integrity
  – Data integrity – assures that information and programs are changed only in a specified and authorized manner.
  – System integrity – assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
• Availability – service not denied to authorized users
• Authenticity – user is who he/she claims to be

32
SECURITY GOALS
• Confidentiality
  – Concealment of information or resources
• Integrity
  – Trustworthiness of data or resources
• Availability
  – Ability to use information or resources

33
CONFIDENTIALITY
• The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry
• Access mechanisms, such as cryptography, support confidentiality
  – Example: encrypting an income tax return
• Lost through unauthorized disclosure of information

34
INTEGRITY
• Often requires preventing unauthorized changes
• Includes data integrity (content) and origin integrity (source of data, also called authentication)
• Includes prevention mechanisms and detection mechanisms
  – Example: Newspaper prints info leaked from the White House and gives the wrong source
• Includes both correctness and trustworthiness
• Lost through unauthorized modification or destruction of information
35
AVAILABILITY
• Is an aspect of reliability and system design
• Attempts to block availability, called denial of service (DoS) attacks, are difficult to detect
  – Example: bank with two servers – one is blocked, the other provides false information
• Ensures timely and reliable access to and use of information
• Lost through disruption of access to information or information systems
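
The slide says DoS attempts are difficult to detect; one reason is that a flood looks like ordinary requests, only more of them. The following Python sketch is an added example (not from the slides) of the most basic availability check a defender runs: a sliding-window request counter per source address over access-log lines. The log lines, addresses (from the documentation ranges) and thresholds are constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log sample, not real traffic. Format per line:
# "<ISO timestamp> <client IP> <method> <path>".
# 198.51.100.5 behaves normally; 203.0.113.7 sends a burst of requests in four seconds.
SAMPLE_LOG = """\
2024-03-01T09:00:00 198.51.100.5 GET /login
2024-03-01T09:00:01 203.0.113.7 GET /login
2024-03-01T09:00:01 203.0.113.7 GET /login
2024-03-01T09:00:02 203.0.113.7 GET /login
2024-03-01T09:00:02 203.0.113.7 GET /login
2024-03-01T09:00:03 203.0.113.7 GET /login
2024-03-01T09:00:03 203.0.113.7 GET /login
2024-03-01T09:00:04 203.0.113.7 GET /login
2024-03-01T09:00:04 203.0.113.7 GET /login
2024-03-01T09:00:09 198.51.100.5 POST /transfer
2024-03-01T09:00:30 198.51.100.5 GET /balance
"""


def parse_line(line: str):
    """Split one log line into (timestamp, client_ip, method, path)."""
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts), ip, method, path


def find_floods(log_text: str, window_seconds: int = 10, threshold: int = 5) -> dict:
    """Return {client_ip: peak_requests_in_window} for clients exceeding the threshold.

    One deque of timestamps per source IP acts as a sliding window: entries older
    than window_seconds are dropped from the left before the count is compared
    with the threshold, so a slow trickle of requests is never flagged.
    """
    per_ip = defaultdict(deque)
    flagged = {}
    records = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, _method, _path in records:
        window = per_ip[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

A threshold like this catches a single noisy source and nothing more: a distributed attack spreads the same load over many addresses that each stay under the limit, and a legitimate burst (a marketing e-mail going out) trips it. That gap between "more requests than usual" and "a denial of service" is exactly why the slide calls these attacks hard to detect.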

36
AUTHENTICITY AND ACCOUNTABILITY
Two additional objectives:
• Authenticity – being genuine and able to be verified or trusted; verifying that users are who they say they are
• Accountability – actions of an entity can be traced uniquely to that entity; supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention.

37
LEVELS OF IMPACT
• We can define 3 levels of impact from a security breach:
  – Low
  – Moderate
  – High

38
SECURITY BREACH: LOW IMPACT
• Loss has a limited adverse effect
• For example:
  – The effectiveness of the functions of an organization is noticeably reduced
  – Results in minor damage to organizational assets
  – Results in minor financial loss
  – Results in minor harm to individuals

39
SECURITY BREACH: MODERATE IMPACT
• Loss may have a serious adverse effect on organizational operations, assets or individuals.
• For example:
  – The effectiveness of the functions of an organization is significantly reduced
  – Results in significant damage to organizational assets
  – Results in significant financial loss
  – Results in significant harm to individuals

40
SECURITY BREACH: HIGH IMPACT
• Loss is expected to have a severe or catastrophic adverse effect on organizational operations, assets or individuals.
• For example:
  – The effectiveness of the functions of an organization is reduced so that the organization cannot perform its primary function(s).
  – Results in major damage to organizational assets
  – Results in major financial loss
  – Results in severe or catastrophic harm to individuals, involving loss of life or serious life-threatening injuries

41
SECURITY
• Motivation: Why do we need security?
• Increased reliance on information technology, with or without the use of networks
• The use of IT has changed our lives drastically.
• We depend on e-mail, Internet banking, and several other governmental activities that use IT
• Increased use of e-commerce and the World Wide Web on the Internet as a vast repository of various kinds of information (immigration databases, flight tickets, stock markets, etc.)
42
SECURITY CONCERNS
• Damage to any IT-based system or activity can result in severe disruption of services and losses
• Systems connected by networks are more prone to attacks, and also suffer more as a result of the attacks, than stand-alone systems (Reasons?)
• Concerns such as the following are common
  – How do I know that the party I am talking to on the network is really the one I want to talk to?
  – How can I be assured that no one else is listening and learning the data that I send over a network?
  – Can I ever stay relaxed that no hacker can enter my network and play havoc?

43
CONCERNS CONTINUED…
• Is the web site I am downloading information from a legitimate one, or a fake?
• How do I ensure that the person I just did a financial transaction with cannot deny having done it tomorrow or at a later time?
• I want to buy something online, but I don’t want to let them charge my credit card before they deliver the product to me

44
Passive Attacks
• Passive attacks do not affect system resources
  – Eavesdropping, monitoring
• Two types of passive attacks
  – Release of message contents
  – Traffic analysis
• Passive attacks are very difficult to detect
  – Message transmission apparently normal
    • No alteration of the data
  – Emphasis on prevention rather than detection
    • By means of encryption

Passive Attacks (2)
Traffic Analysis

Active Attacks (1)
• Active attacks try to alter system resources or affect their operation
  – Modification of data, or creation of false data
• Four categories
  – Masquerade
  – Replay
  – Modification of messages
  – Denial of service: preventing normal use
    • A specific target or entire network
• Difficult to prevent
  – The goal is to detect and recover
Masquerade

Active Attacks (2)
Replay

Active Attacks (3)
Modification of Messages

Active Attacks (4)
Denial of Service

Summary of Passive and Active Threats
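
The Alice's Online Bank CIA slides earlier (cryptography for confidentiality, cryptography to detect unauthorized writing) and this section's "detect and recover" goal for active attacks describe one mechanism from two sides. The following Python sketch is an added example, not from the slides or any real bank: AOB protects a balance message with encryption plus a keyed MAC over a sequence number, a nonce and the ciphertext, and the receiver checks the tag before anything else. Trudy reading the wire learns only the message length (a passive attack, traffic analysis, that encryption alone does not hide); modifying a byte, forging a message under her own key (masquerade), or resending an old message (replay) is detected and rejected. The keystream construction (HMAC-SHA256 as a PRF in counter mode) is a stand-in for a real cipher such as AES-GCM so the example runs on the standard library; keys and messages are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

SEQ_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven in counter mode as a demo keystream generator.
    A stand-in for a production cipher; do not reuse a (key, nonce) pair."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: header(seq, nonce) || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    header = struct.pack(">Q", seq) + nonce
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """AOB's side: verify integrity first, then freshness, then decrypt."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.last_seq = -1  # highest sequence number accepted so far

    def receive(self, msg: bytes):
        if len(msg) < SEQ_LEN + NONCE_LEN + TAG_LEN:
            return ("rejected", "truncated")
        header = msg[: SEQ_LEN + NONCE_LEN]
        ciphertext = msg[SEQ_LEN + NONCE_LEN : -TAG_LEN]
        tag = msg[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "bad tag")       # modified in transit or forged (masquerade)
        seq = struct.unpack(">Q", header[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            return ("rejected", "replay")        # genuine message, but already seen
        self.last_seq = seq
        nonce = header[SEQ_LEN:]
        plaintext = xor_bytes(ciphertext, keystream(self.enc_key, nonce, len(ciphertext)))
        return ("accepted", plaintext.decode())


def demo() -> dict:
    """Run the passive and active scenarios from the slides against one receiver."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # shared by Bob's client and AOB
    aob = Receiver(enc_key, mac_key)
    wire = protect(enc_key, mac_key, 1, b"balance=120.00")
    out = {}
    out["plaintext_visible"] = b"balance" in wire        # confidentiality: Trudy sees no plaintext
    out["length_visible"] = len(wire)                    # traffic analysis: size is still exposed
    out["legit"] = aob.receive(wire)
    tampered = bytearray(wire)
    tampered[SEQ_LEN + NONCE_LEN] ^= 0x01                # flip one ciphertext bit
    out["modified"] = aob.receive(bytes(tampered))
    out["replayed"] = aob.receive(wire)                  # resend the genuine message
    out["forged"] = aob.receive(protect(os.urandom(32), os.urandom(32), 2, b"balance=1000000"))
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The order of checks matters: the tag covers the sequence number, so Trudy cannot bump the counter on an old message to slip past the replay check, and the tag is verified before decryption so malformed ciphertext is never decoded. Denial of service, the fourth active category, is not addressed here; dropping every message still denies Bob service, which is why the slides put availability under detection and recovery rather than cryptography.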

53
Key Information Security Concepts
• Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.
• Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. Assets, and particularly information assets, are the focus of security efforts; they are what those efforts are attempting to protect.
• Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone casually reading sensitive information not intended for his or her use is a passive attack. A hacker attempting to break into an information system is an intentional attack.

Slide 54
Slide 55
• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization. The various levels and types of controls are discussed more fully in the following chapters.
• Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker. Exploits make use of existing software tools or custom-made software components.
• Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
• Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization’s information is stolen, it has suffered a loss.

Slide 56
• Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the term security program, although the security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.
• Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk the organization is willing to accept.
• Subjects and objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity. A computer can be both the subject and object of an attack, when, for example, it is compromised by an attack (object), and is then used to attack other systems (subject).

Slide 57
• Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected. For example, hackers purposefully threaten unprotected information systems, while severe storms incidentally threaten buildings and their contents.
• Threat agent: The specific instance or a component of a threat. For example, all hackers in the world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.
• Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).

Slide 58
Components of an Information System
• To fully understand the importance of information security, you need to know the elements of an information system
• An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, and procedures necessary to use information as a resource in the organization

Slide 59
Securing the Components
The computer can be either the subject of an attack or the object of an attack, or both
When a computer is
– the subject of an attack, it is used as an active tool to conduct the attack
– the object of an attack, it is the entity being attacked

Slide 60
Figure 1-5 – Subject and
Object of Attack

Slide 61
Components of an Information System

Slide 62
Balancing Security and Access
It is impossible to obtain perfect security - it is not an absolute; it is a process
Security should be considered a balance between protection and availability
To achieve balance, the level of security must allow reasonable access, yet protect against threats

Slide 63
Figure 1-6 – Balancing
Security and Access

Slide 64
Bottom Up Approach
Security from a grass-roots effort - systems administrators attempt to improve the security of their systems
Key advantage - technical expertise of the individual administrators
Seldom works, as it lacks a number of critical features:
– participant support
– organizational staying power
Slide 65
Figure 1-7 – Approaches to
Security Implementation

Slide 66
Top-down Approach
• Initiated by upper management:
  – issue policy, procedures, and processes
  – dictate the goals and expected outcomes of the project
  – determine who is accountable for each of the required actions
• This approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture
• May also involve a formal development strategy referred to as a systems development life cycle
  – Most successful top-down approach

Slide 67
The Systems Development Life Cycle
Information security must be managed in a manner similar to any other major system implemented in the organization
Using a methodology
– ensures a rigorous process
– avoids missing steps
The goal is creating a comprehensive security posture/program

Slide 68
Figure 1-8 – SDLC Waterfall
Methodology

Slide 69
SDLC and the SecSDLC
The SecSDLC may be
– event-driven - started in response to some occurrence, or
– plan-driven - as a result of a carefully developed implementation strategy
At the end of each phase comes a structured review

Slide 70
Investigation
What is the problem the system is being developed to solve?
– The objectives, constraints, and scope of the project are specified
– A preliminary cost/benefit analysis is developed
– A feasibility analysis is performed to assess the economic, technical, and behavioral feasibility of the process

Slide 71
Analysis
• Consists primarily of
  – assessments of the organization
  – the status of current systems
  – capability to support the proposed systems
• Analysts begin to determine
  – what the new system is expected to do
  – how the new system will interact with existing systems
• Ends with the documentation of the findings and a feasibility analysis update

Slide 72
Logical Design
• Based on business need, applications capable of providing the needed services are selected
• Based on the applications needed, data support and structures capable of providing the needed inputs are identified
• Finally, based on all of the above, specific ways to implement the physical solution are chosen
• At the end, another feasibility analysis is performed

Slide 73
Physical Design
Specific technologies are selected to support the alternatives identified and evaluated in the logical design
Selected components are evaluated based on a make-or-buy decision
The entire solution is presented to the end-user representatives for approval

Slide 74
Implementation
Components are ordered, received, assembled, and tested
Users are trained and documentation created
Users are then presented with the system for a performance review and acceptance test

Slide 75
Maintenance and Change
Tasks necessary to support and modify the system for the remainder of its useful life
The life cycle continues until the process begins again from the investigation phase
When the current system can no longer support the mission of the organization, a new project is implemented

Slide 76
Security Systems Development Life Cycle
The same phases used in the traditional SDLC adapted to support the specialized implementation of a security project
Basic process is identification of threats and controls to counter them
The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions

Slide 77
Investigation
Identifies process, outcomes and goals of the project, and constraints
Begins with a statement of program security policy
Teams are organized, problems analyzed, and scope defined, including objectives and constraints not covered in the program policy
An organizational feasibility analysis is performed
Slide 78
Analysis
Analysis of existing security policies or programs, along with documented current threats and associated controls
Includes an analysis of relevant legal issues that could impact the design of the security solution
The risk management task (identifying, assessing, and evaluating the levels of risk) also begins
Slide 79
Logical & Physical Design
• Creates blueprints for security
• Critical planning and feasibility analyses to determine whether or not the project should continue
• In physical design, security technology is evaluated, alternatives generated, and the final design selected
• At the end of the phase, a feasibility study determines readiness so all parties involved have a chance to approve the project

Slide 80
Implementation
The security solutions are acquired (made or bought), tested, and implemented, and tested again
Personnel issues are evaluated and specific training and education programs conducted
Finally, the entire tested package is presented to upper management for final approval
Slide 81
Maintenance and Change
The maintenance and change phase is perhaps the most important, given the high level of ingenuity in today’s threats
The reparation and restoration of information is a constant duel with an often unseen adversary
As new threats emerge and old threats evolve, the information security profile of an organization requires constant adaptation
Slide 82
Slide 83
Security Professionals and the Organization
It takes a wide range of professionals to support a diverse information security program
To develop and execute specific security policies and procedures, additional administrative support and technical expertise is required

Slide 84
Senior Management
• Chief Information Officer
  – the senior technology officer
  – primarily responsible for advising the senior executive(s) on strategic planning
• Chief Information Security Officer
  – responsible for the assessment, management, and implementation of securing the information in the organization
  – may also be referred to as the Manager for Security, the Security Administrator, or a similar title

Slide 85
Security Project Team
A number of individuals who are experienced in one or multiple requirements of both the technical and non-technical areas:
– The champion
– The team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users

Slide 86
Data Ownership
Data Owner - responsible for the security and use of a particular set of information
Data Custodian - responsible for the storage, maintenance, and protection of the information
Data Users - the end systems users who work with the information to perform their daily jobs supporting the mission of the organization
Slide 87
Communities Of Interest
Each organization develops and maintains its own unique culture and values. Within that corporate culture, there are communities of interest:
– Information Security Management and Professionals
– Information Technology Management and Professionals
– Organizational Management and Professionals

Slide 88
Information Security: Is It an Art or a Science?
With the level of complexity in today’s information systems, the implementation of information security has often been described as a combination of art and science

Slide 89
Security as Art
There are no hard and fast rules, nor are there many universally accepted complete solutions
There is no magic user’s manual for the security of the entire system
Complex levels of interaction exist between users, policy, and technology controls

Slide 90
Security as Science
Dealing with technology designed to perform at high levels of performance
Specific conditions cause virtually all actions that occur in computer systems
Almost every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
If the developers had sufficient time, they could resolve and eliminate these faults
Slide 91
Security as a Social Science
Social science examines the behavior of individuals interacting with systems
Security begins and ends with the people that interact with the system
End users may be the weakest link in the security chain
Security administrators can greatly reduce the levels of risk caused by end users, and create more acceptable and supportable security profiles
Slide 92
Exercises
Classify each of the following as an attack on confidentiality, integrity, and/or availability (more than one may apply). Justify your answers.

1. John copies Mary's homework
2. Paul crashes Linda's system
3. Carol changes the amount of Angelo's check from $100 to $1,000
4. Gina forges Roger's signature on a deed
5. Rhonda registers the domain name "AddisonWesley.com" and refuses to let the publishing house buy or use that domain name
6. Jonah obtains Peter's credit card number and has the credit card company cancel the card and replace it with another card bearing a different account number
7. Henry spoofs Julie's IP address to gain access to her computer

Slide 93
Consider an automated teller machine (ATM) in which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system. In each case, indicate the degree of importance of the requirement.

Slide 94
1. Consider the statement: an individual threat agent, like a hacker, can be a factor in more than one threat category. If a hacker hacks into a network, copies a few files, defaces the Web page, and steals credit card numbers, how many different threat categories does this attack fall into?

Slide 95
Differences
• Availability
• Accuracy
• Authenticity

Slide 96
